Configuring BPDU Protection on an Interface (CLI Procedure)

EX Series switches support spanning-tree protocols that prevent loops in a network by creating a tree topology (spanning tree) of the entire bridged network. All spanning-tree protocols use a special type of frame called a bridge protocol data unit (BPDU) to communicate with each other. Other devices in the network, such as PCs, generate their own BPDUs that are not compatible with the spanning-tree BPDUs. When BPDUs generated by other devices are transmitted to switches on which spanning-tree protocols are configured, the spanning tree can become misconfigured and a network outage can result. Therefore, it is necessary to protect an interface in a spanning-tree topology from BPDUs generated by other devices.

You can enable BPDU protection on interfaces that are configured as edge ports by using the bpdu-block-on-edge command. If you have not configured a port as an edge port, you can still configure BPDU protection on the interface by using the bpdu-block command under the set ethernet-switching-options hierarchy. You can also use the bpdu-block command to configure BPDU protection on interfaces configured for a spanning-tree protocol.

This topic describes:

Configuring BPDU Protection for Edge Interfaces

In a spanning-tree topology, if a switch is an access switch, its interfaces are connected to end devices, such as PCs, servers, routers, or hubs, that are not connected to other switches. You configure these interfaces as edge interfaces because they directly connect to end devices. Interfaces that are configured as edge interfaces can transition to a forwarding state immediately because they cannot create network loops. A switch detects edge ports by noting the absence of communication from the end stations.

Because edge ports are connected to end devices, it is imperative that you configure BPDU protection on edge ports to protect the switch from outside BPDUs. If BPDU protection is enabled on an edge interface, the interface shuts down on encountering an outside BPDU, thereby preventing any traffic from passing through the interface. You can re-enable the interface either by using the disable-timeout command while configuring BPDU protection, or by issuing the clear ethernet-switching bpdu-error operational mode command. The clear ethernet-switching bpdu-error command only re-enables the interface; the BPDU configuration for the interface continues to exist unless you explicitly remove it.

To configure BPDU protection on an edge interface of a switch:

Note: Ensure that the switch is connected to an end device.

  1. Configure any spanning-tree protocol on the switch if not configured already. RSTP is configured in this procedure.

    Note: The Rapid Spanning Tree Protocol (RSTP) is configured by default on a switch.

    [edit protocols]
    user@switch# set rstp
  2. Enable RSTP on a specific interface and set a priority for the interface—for example, ge-0/0/0.0:
    [edit protocols]
    user@switch# set rstp interface ge-0/0/0.0 priority 16
  3. Configure the ge-0/0/0.0 interface as an edge interface and enable BPDU protection on that interface:
    [edit protocols]
    user@switch# set rstp bpdu-block-on-edge interface ge-0/0/0.0 edge
  4. Commit the configuration:
    [edit]
    user@switch# commit
  5. Verify that BPDU protection is configured properly on the edge interface (ge-0/0/0.0):
    • Run the show ethernet-switching interfaces operational mode command to ensure that BPDU protection is configured on the edge interface:
      user@switch> show ethernet-switching interfaces
      Interface    State  VLAN members     Tag   Tagging     Blocking
      ge-0/0/0.0   down   default                untagged   Disabled by bpdu-control
      me0.0        up     mgmt                   untagged   unblocked
      

      In this output, note that the ge-0/0/0.0 interface is down because it has received BPDUs from the end device. Also, note that the state of the Blocking field is Disabled by bpdu-control, which indicates that the port is disabled because of BPDU protection.

    • Run the show spanning-tree interface operational mode command to ensure that the ge-0/0/0.0 interface is not displayed in the output.

Configuring BPDU Protection for Interfaces (Port Shutdown Mode)

In a spanning-tree network, you might need to configure BPDU protection on interfaces that are not explicitly configured as edge interfaces. In such cases, use the set ethernet-switching-options bpdu-block configuration command for BPDU protection. With this command, you can configure the interface either to shut down, or to drop only the BPDU packets and remain up, when it receives incompatible BPDU packets. For the procedure to configure an interface to drop BPDU packets and remain up, see Configuring BPDU Protection for Interfaces (BPDU Drop Mode). To configure an interface to only drop incompatible BPDU packets and remain up, no spanning-tree protocol can be configured on the interface or on the switch.

This section discusses the procedure to shut down an interface when it receives incompatible BPDU packets. To configure an interface to shut down upon receipt of incompatible BPDUs, a spanning-tree protocol may or may not be configured on the interface or switch.

To configure BPDU shutdown protection on interfaces:

Note: Ensure that the switch on which you are configuring BPDU protection is connected to a peer device.

  1. Ensure that the interface on which you want to enable BPDU protection is up and unblocked. For example, if you want to configure BPDU protection on the ge-0/0/0.0 interface, the following is the output of the show ethernet-switching interfaces command if the interface is up and unblocked:
    user@switch> show ethernet-switching interfaces
    Interface    State  VLAN members        Tag   Tagging  Blocking
    ge-0/0/0.0   up     default                   untagged unblocked
    

    In this output, note that the state of the ge-0/0/0.0 interface is up and the value for the Blocking field is unblocked.

  2. (Optional) Configure any spanning-tree protocol on the switch if not configured already. The Rapid Spanning Tree Protocol (RSTP) is configured in this procedure.
    [edit protocols]
    user@switch# set rstp

    Note: The Rapid Spanning Tree Protocol (RSTP) is configured by default on a switch.

  3. Enable RSTP on a specific interface—for example, ge-0/0/0.0:
    [edit protocols]
    user@switch# set rstp interface ge-0/0/0.0
  4. (Optional) Ensure that the spanning-tree protocol is configured on the ge-0/0/0.0 interface:
    user@switch> show spanning-tree interface
    Spanning tree interface parameters for instance 0
    
    Interface    Port ID    Designated      Designated         Port    State  Role
                             port ID        bridge ID          Cost
    ge-0/0/0.0     128:513       16:513   8192.841888af0681     20000  FWD    ROOT

    In this output, the ge-0/0/0.0 interface is displayed because a spanning-tree protocol is configured on this interface.

  5. Enable the BPDU protection on the interface (ge-0/0/0.0) so that the interface shuts down on receiving incompatible BPDU packets:
    [edit]
    user@switch# set ethernet-switching-options bpdu-block interface ge-0/0/0.0 shutdown
  6. Commit the configuration change:
    [edit]
    user@switch# commit
  7. Verify that the BPDU protection is configured on the interface:
    • Run the show ethernet-switching interfaces operational mode command to ensure that the BPDU protection is configured on the interface:
      user@switch> show ethernet-switching interfaces
      Interface    State  VLAN members     Tag   Tagging     Blocking
      ge-0/0/0.0   down   default                untagged    Disabled by bpdu-control

      In this output, note that the state of the ge-0/0/0.0 interface is down because it has received incompatible BPDUs from another device. Also, note that the value of the Blocking field is Disabled by bpdu-control, which indicates that the port is disabled because of BPDU protection.

    • Run the show spanning-tree interface operational mode command to ensure that the ge-0/0/0.0 interface is not displayed in the output.
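
The verification steps on this page all read the Blocking column of show ethernet-switching interfaces. The following Python is an added example, not Juniper's code: it parses that output once it has been captured as text, re-joins Blocking values that wrapped onto a second line, and lists the ports that BPDU protection has shut down. The function names and status labels are assumptions made for the example.

```python
import re

# Constructed sample modelled on this page's outputs; two Blocking values wrap.
SAMPLE = """\
Interface    State  VLAN members     Tag   Tagging     Blocking
ge-0/0/0.0   down   default                untagged    Disabled by
bpdu-control
ge-0/0/1.0   up     default                untagged    unblocked-xSTP bpdu
filter enabled
ge-0/0/2.0   up     default                untagged    unblocked
"""

# Assumption: one VLAN per row and an optional numeric Tag, as on this page.
ROW = re.compile(r"^(?P<name>\S+)\s+(?P<state>up|down)\s+(?P<vlan>\S+)\s+"
                 r"(?:(?P<tag>\d+)\s+)?(?P<tagging>tagged|untagged)\s+(?P<blocking>\S.*)$")

# Blocking values shown on this page, mapped to labels chosen for this example.
MEANING = {
    "unblocked": "unblocked",
    "Disabled by bpdu-control": "shut-by-bpdu-protection",
    "unblocked-xSTP bpdu filter enabled": "bpdu-drop-enabled",
}


def parse_interfaces(text):
    """Return one dict per interface row, re-joining wrapped Blocking values."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Interface"):
            continue
        if m := ROW.match(line):
            rows.append(m.groupdict())
        elif rows:  # continuation of the previous row's Blocking column
            rows[-1]["blocking"] += " " + line
    for row in rows:
        row["blocking"] = " ".join(row["blocking"].split())
        row["status"] = MEANING.get(row["blocking"], "unrecognised")
    return rows


def ports_needing_attention(rows):
    """Ports shut down by BPDU protection or showing an unrecognised Blocking value."""
    return [r["name"] for r in rows if r["status"] in ("shut-by-bpdu-protection", "unrecognised")]


if __name__ == "__main__":
    print(ports_needing_attention(parse_interfaces(SAMPLE)))
```

A port reported here has received a BPDU it should not have seen, so check what is attached to it before re-enabling it with clear ethernet-switching bpdu-error.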

Configuring BPDU Protection for Interfaces (BPDU Drop Mode)

For certain access switches, you might want interfaces on the switch not to shut down on encountering incompatible BPDU packets; instead, only drop incompatible BPDU packets while allowing the remaining traffic to pass through. Such an interface must not have a spanning-tree protocol configured on it, so that packets that pass through the interface will not cause STP misconfiguration and consequent network outages.

To configure BPDU protection for an interface to only drop incompatible BPDU packets and to allow the remaining traffic to pass through, while retaining the interface status as up:

Note: Ensure that the switch on which you are configuring BPDU protection is connected to a peer device.

  1. Delete or disable any spanning-tree protocol (for instance, RSTP as in this procedure) configured on the switch or on any interface.
    • To delete or disable a spanning-tree protocol on the entire switch:
      [edit]
      user@switch# delete protocols rstp

      Or,

      [edit]
      user@switch# set protocols rstp disable
    • To disable a spanning-tree protocol on a specific interface (for example, ge-0/0/0.0) on the switch:
      [edit]
      user@switch# set protocols rstp interface ge-0/0/0.0 disable

    Note: As RSTP is configured on a switch by default, ensure that you delete or disable RSTP even though you had not configured it explicitly.

  2. Ensure that the interface on which you want to enable the BPDU protection is up and unblocked. For example, if you want to configure the BPDU protection on the ge-0/0/0.0 interface, the following is the output of the show ethernet-switching interfaces command if the interface is up and unblocked:
    user@switch> show ethernet-switching interfaces
    Interface    State  VLAN members        Tag   Tagging  Blocking
    ge-0/0/0.0   up     default                   untagged unblocked
    

    In this output, note that the state of the ge-0/0/0.0 interface is up and the value for the Blocking field is unblocked.

  3. Enable the BPDU protection on the interface (ge-0/0/0.0 in this procedure) to drop BPDU packets:
    [edit]
    user@switch# set ethernet-switching-options bpdu-block interface ge-0/0/0.0 drop
  4. Commit the configuration:
    [edit]
    user@switch# commit
  5. Verify that the BPDU protection is configured on the interface:
    • Run the show ethernet-switching interfaces operational mode command to ensure that the BPDU protection is configured on the interface:
      user@switch> show ethernet-switching interfaces
      Interface    State  VLAN members     Tag   Tagging  Blocking
      ge-0/0/0.0   up     default               untagged unblocked-xSTP bpdu filter enabled

      In this output, note that the ge-0/0/0.0 interface is up even though it has received incompatible BPDU packets because the drop feature is configured for this interface. Also, note that the state of the Blocking field is unblocked-xSTP bpdu filter enabled, which indicates that the BPDU drop feature is enabled on this interface.

    • Run the show spanning-tree interface operational mode command to ensure that the ge-0/0/0.0 interface is displayed in the output and that the State of the interface is DIS, which indicates that the interface discards all incompatible BPDUs:
      user@switch> show spanning-tree interface
      Spanning tree interface parameters for instance 0
      
      Interface  Port ID  Designated   Designated      Port   State   Role
                           port ID      bridge ID       Cost
      ge-0/0/0.0 128:513   16:513    8192.841888af0681  20000   DIS    DIS
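
Two rules from this page can be checked before a commit: drop mode requires RSTP to be deleted or disabled, and edge ports should have BPDU protection. The following Python is an added example, not Juniper's code; it assumes the planned commands are written one per line from the top level, and the function name and finding texts are made up for the example.

```python
import re

# Constructed change script. Assumption: one command per line, written from the
# top level ([edit]), i.e. the page's [edit protocols] commands with "protocols" added.
SAMPLE_COMMANDS = """\
set protocols rstp interface ge-0/0/0.0 edge
set protocols rstp interface ge-0/0/2.0 disable
set ethernet-switching-options bpdu-block interface ge-0/0/1.0 drop
set ethernet-switching-options bpdu-block interface ge-0/0/2.0 drop
set ethernet-switching-options bpdu-block interface ge-0/0/3.0 shutdown
"""

BLOCK = re.compile(r"^set ethernet-switching-options bpdu-block interface (\S+) (drop|shutdown)$")
EDGE = re.compile(r"^set protocols rstp\b.*\binterface (\S+) edge$")
ON_EDGE = re.compile(r"^set protocols rstp\b.*\bbpdu-block-on-edge\b")
IF_OFF = re.compile(r"^set protocols rstp interface (\S+) disable$")
GLOBAL_OFF = {"delete protocols rstp", "set protocols rstp disable"}


def lint_bpdu_protection(commands):
    """Return sorted (interface, finding) pairs for two rules stated on this page."""
    lines = [ln.strip() for ln in commands.splitlines() if ln.strip()]
    rstp_off_globally = any(ln in GLOBAL_OFF for ln in lines)
    block_on_edge = any(ON_EDGE.match(ln) for ln in lines)
    mode, edge, rstp_off = {}, set(), set()
    for ln in lines:
        if m := BLOCK.match(ln):
            mode[m.group(1)] = m.group(2)
        elif m := EDGE.match(ln):
            edge.add(m.group(1))
        elif m := IF_OFF.match(ln):
            rstp_off.add(m.group(1))
    findings = []
    for ifname, how in mode.items():
        # Drop mode needs RSTP, which is on by default, deleted or disabled.
        if how == "drop" and not (rstp_off_globally or ifname in rstp_off):
            findings.append((ifname, "drop mode set while RSTP is still enabled"))
    for ifname in edge:
        # Edge ports face end devices, so they should have BPDU protection.
        if not block_on_edge and ifname not in mode:
            findings.append((ifname, "edge port without BPDU protection"))
    return sorted(findings)


if __name__ == "__main__":
    for ifname, finding in lint_bpdu_protection(SAMPLE_COMMANDS):
        print(f"{ifname}: {finding}")
```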

Published: 2014-04-23